f1e2da6079d1701943e03bf6b177df35c13211f8b9f6dfea92aa6832183c97f2

General

Target

a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
Size

15KB
MD5

a70c8dd4639b25a4545f397d1233fad7
SHA1

fb82e4f16ec047dc4ec4b13632408e8a1f0db2d1
SHA256

f1e2da6079d1701943e03bf6b177df35c13211f8b9f6dfea92aa6832183c97f2
SHA512

024fdc137b1111b063ea68e0a91de2239e98ead29e124988b54facdae33554d0c5b1a50ccdc271ee2b6cd4234baa6e9acd519cb2979841959adc7650a0cfe2ef
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2HR:hDXWipuE+K3/SSHgxmKEx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2948	DEM62C8.exe
1244	DEMB838.exe
1856	DEMDA7.exe
1512	DEM6307.exe
1380	DEMB819.exe
2136	DEMD4A.exe

Loads dropped DLL 6 IoCs

pid	Process
2852	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
2948	DEM62C8.exe
1244	DEMB838.exe
1856	DEMDA7.exe
1512	DEM6307.exe
1380	DEMB819.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDA7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6307.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM62C8.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2948	2852	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2948	2852	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2948	2852	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2948	2852	a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe	31
PID 2948 wrote to memory of 1244	2948	DEM62C8.exe	34
PID 2948 wrote to memory of 1244	2948	DEM62C8.exe	34
PID 2948 wrote to memory of 1244	2948	DEM62C8.exe	34
PID 2948 wrote to memory of 1244	2948	DEM62C8.exe	34
PID 1244 wrote to memory of 1856	1244	DEMB838.exe	36
PID 1244 wrote to memory of 1856	1244	DEMB838.exe	36
PID 1244 wrote to memory of 1856	1244	DEMB838.exe	36
PID 1244 wrote to memory of 1856	1244	DEMB838.exe	36
PID 1856 wrote to memory of 1512	1856	DEMDA7.exe	38
PID 1856 wrote to memory of 1512	1856	DEMDA7.exe	38
PID 1856 wrote to memory of 1512	1856	DEMDA7.exe	38
PID 1856 wrote to memory of 1512	1856	DEMDA7.exe	38
PID 1512 wrote to memory of 1380	1512	DEM6307.exe	40
PID 1512 wrote to memory of 1380	1512	DEM6307.exe	40
PID 1512 wrote to memory of 1380	1512	DEM6307.exe	40
PID 1512 wrote to memory of 1380	1512	DEM6307.exe	40
PID 1380 wrote to memory of 2136	1380	DEMB819.exe	42
PID 1380 wrote to memory of 2136	1380	DEMB819.exe	42
PID 1380 wrote to memory of 2136	1380	DEMB819.exe	42
PID 1380 wrote to memory of 2136	1380	DEMB819.exe	42

C:\Users\Admin\AppData\Local\Temp\a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a70c8dd4639b25a4545f397d1233fad7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\DEM62C8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM62C8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\DEMB838.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB838.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\DEM6307.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6307.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\DEMB819.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB819.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM62C8.exe

Filesize
15KB

MD5
7e68cc6ea1ca46b3d8bb07c6a0a25f2e

SHA1
441f97523392e3d20e9860c63d7d4fc94d6cd84f

SHA256
87221b6afac66760025a3e89d629bc4d0cfaa6ede5a0834deda268d0a1e52a29

SHA512
89b7d3578e4c5744de76668ada3221ce83736be959000671a24669dc51fd875293425b62b68881b2d789fb78ba749a52da989ff768515c98bd030b53dd49fd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6307.exe

Filesize
15KB

MD5
0623e36ab87887a165b56b88f693e5cd

SHA1
22ed2722b7e7edaa00ce42c2eab21658cfc7f67b

SHA256
432b7cf9f98d244b8df62b9959f575b58ea4c7247584546d06b6af55dfb10983

SHA512
ea1d164102d4c2ba656f0b0b9be43a806f50928fac3d696308a38f3207221bc21670341e9b31c8e9e53d9d3541c5169abeb9886648d70fa27b066d716a33bf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB819.exe

Filesize
15KB

MD5
848515953c3b39dc4b5dbe86cc2a36cc

SHA1
d3907f90c463812b21435c3369e4f9fb7b027909

SHA256
4f90b8e39d0c93215eb259dc2af07a6a138aba7703e21f58bd186ba208507668

SHA512
d2dd95883b093bf8afa5384abe0bae81090b1b6c4ef07fd893d2a6b1d086eb796c3b2e008b1bd3afca76960a4ce0dd3f3b78dcbfbe7ab4bae460b6c144dc25f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB838.exe

Filesize
15KB

MD5
1e772f1db9a5f6fb8bef17d612b36532

SHA1
c68f4d003897beb7b1554d04d4eaf46d306510ed

SHA256
517226e1186be3b4cc31b36c37d5d7bd6be9358141966bea77d08bebd9dc8a43

SHA512
b8368c24ac893944fb0e5eb4f8b557f3afa37ca926523e85cd280c91a9697993cc0ed769a4b0eaf04a47cf9904d56404c5d9b3f472a0640c3f6e277ab4a9f779

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe

Filesize
15KB

MD5
47c3eef271bc6a9b8780664745b98113

SHA1
d0810466f59132450a8abc36abb2d156d41fa064

SHA256
7b921020787db38a270f14f06e7deb30cb16952897cb70542ddf634d58f72726

SHA512
dee6fdda2e7dbce09a5a21d0b971df5d1cafc2ddaae66f6cb603a056411cb7ef7b2e92b7c0d879037d1b674e6a8c3f12b6d7ebaf3e0da032f1c49ff9602ddd2f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD4A.exe

Filesize
15KB

MD5
6586803c390487a2487d9dffd029b921

SHA1
264a943618b376a3c345d3761769da76f765f7d1

SHA256
42bc0f58aa6a2af3d4d599ba0c24cbb4e7b6c4280e159a1f8f2a2fda2d669bfe

SHA512
58b9ca05966ad104946992d1c0b33b5ae1139add6bd6a6273a2bf4837458c863216490ad7e064a9330c00aceb110f56ce45812c6bf86989319b4cb6aa967511d

Download Submit

Analysis

Sharing